what would cause sql to return reject response?

Bipin Patel bipin at xbipin.com
Mon Feb 11 17:33:34 CET 2019


Basically, I have developed a full web GUI for MikroTik routers and
FreeRADIUS to work as a hotspot, where the web GUI talks to the SQL DB
directly and the user can create plans, which would be the RADIUS groups
and associated check and reply attributes. I have created a disable
client account option which deactivates the account, and what I saw in
daloRADIUS was that it used to create a disabled group with priority 0
and set the Auth-Type attribute to Reject. I know the docs mention not
to set the Auth-Type directly, but I don't see a way to do it directly
in FR, so I followed the same method, and the reason was that I was
assuming the sql module, seeing the Auth-Type set to Reject, would
respond with the reject response, but I later noticed it would never
respond with reject. I searched all the docs and the book, but no place
mentions under what cases the sql module would respond with reject, and
I wanted the sql module to reject so I can reply with "account disabled"
and not have the rest of the authorize section execute, because later
down the section I have a call to a PHP script and I'm trying to reduce
calls to it unless the account is enabled and the id/pass match.

On 11-02-2019 19:37, Alan DeKok wrote:

> On Feb 11, 2019, at 10:23 AM, Bipin Patel via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote: 
> 
>> I have the below in authorize
>> 
>> sql {
>> notfound = 1
>> reject = 2
>> }
> ... 
> 
>> but the reject response is never generated from the sql module,
> 
> Because the SQL module does not authenticate a user.  SQL is a database.  FreeRADIUS just looks the user up in the database.  The answer is either "yes, the user is there" or "no such user in the database".
> 
>> if the username doesn't match it generates the notfound and if password doesn't match the pap module rejects the request and sql responds ok but what I want is the sql module to generate the reject response.
> 
> Why?
> 
> This is the typical issue of you have a solution in mind, and you're wondering how to implement it.  And, why the server doesn't behave the way you expect.
> 
> You should instead discuss the *problem* you're having.  Why is it important for "sql" to reject the user, instead of "pap" ?
> 
>> can anyone guide me under what circumstances does the sql module generate a reject response because I tried setting Auth-Type attribute to reject but still sql doesn't generate reject
> 
> The SQL module never rejects a user.
> 
> You might have 4 different databases for users.  It is *wrong* for the SQL module to reject a user.
> 
> Alan DeKok.
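
An added illustration, not part of either message and not the FreeRADIUS project's own configuration: since the sql module only looks the user up, the reject decision for a disabled account can be made by a policy check placed directly after it. This assumes FreeRADIUS 3.x unlang syntax, the default `radusergroup`/`radgroupcheck` schema and the stock `reject` module instance; the group name `disabled` and user `alice` are hypothetical.

```unlang
# Added example; assumes FreeRADIUS 3.x and the default SQL schema.
# "disabled" and "alice" are hypothetical names.
#
# Rows the web GUI writes when it disables an account:
#   radgroupcheck: groupname='disabled', attribute='Auth-Type',
#                  op=':=', value='Reject'
#   radusergroup:  username='alice', groupname='disabled', priority=0

authorize {
	# sql only looks the user up. For a member of the "disabled"
	# group, the group's check item is copied into the control
	# list; the module itself still returns ok (or notfound for
	# an unknown user), never reject.
	sql {
		notfound = 1
		reject = 2
	}

	# Turn the looked-up attribute into a reject at this point,
	# before anything further down the section runs.
	if (&control:Auth-Type == Reject) {
		update reply {
			&Reply-Message := "account disabled"
		}
		reject
	}

	# Only reached when the account is not disabled: the call to
	# the external script and the remaining modules go here.
}
```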

